Hacker forums suggest PlayStation data is up for sale

An article posted late Thursday on The New York Times website pointed toward increasing evidence that hackers had gained possession of the credit card details of millions of Sony PlayStation gamers.

The news follows the recent attack on Sony’s PlayStation Network and Qriocity, which prompted Sony to temporarily shut the services down. It is thought that the personal data of more than 75 million users was stolen by hackers who infiltrated the system. The sensitive information included names, addresses, dates of birth and passwords.

The Times‘ Nick Bilton says that according to security researchers, recent discussions on several underground Internet forums seemed to suggest that hackers had gained possession of as many as 2.2 million credit card numbers belonging to Sony customers.

The senior threat researcher at security firm Trend Micro, Kevin Stevens, said that the forums indicated the hackers had a database containing the personal information, and that they were hoping to sell it “for upwards of $100,000.” Apparently the hackers had even tried to sell the information back to Sony, but they didn’t receive a reply from the Japanese electronics company.

“Although several researchers confirmed the forum discussions, it was impossible to verify their contents or the existence of the database,” The Times‘ report says.

Sony has claimed that the credit card data is encrypted, but Mathew Solnik, a security consultant with iSEC Partners, a firm that monitors hacker forums, had this to say: “Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers.” Researchers think that hackers could have gained access to Sony’s servers by first hacking the PS3 games console, Solnik told The Times.

This week a lawsuit was filed against Sony for the security breach of its PlayStation Network and loss of user data. In a post on its PlayStation blog on Tuesday, Sony warned gamers to be “especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information.”

It’ll be interesting to see just how many PlayStation gamers return to the network once it’s back up and running. The answer to the following question, posted on the PlayStation blog on Thursday, may prove decisive (once the company actually decides):

“Q: Will there be a goodwill gesture for the time we haven’t been able to utilize PSN/Qriocity?

A: We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.”